In response to https://httpoxy.org/ (which has no actual ASF vulnerability we are aware of) the HTTP, Tomcat and ATS projects collected feedback, along with validation from the Perl project:
https://www.apache.org/security/asf-httpoxy-response.txt

Does it make sense to blog this, or at least R/T from @TheASF?